
Win32/Critroni


First posted on 11 June 2015.
Source: Microsoft

Aliases:

There are no other names known for Win32/Critroni.

Explanation:

Threat behavior

Installation

This threat can be downloaded onto your PC by Spammer:Win32/Tedroo or by exploit kits.

Once installed it injects code into system processes such as svchost.exe.

It also installs itself in the following locations:

  • %TEMP% \.exe
  • \.exe


For example, the randomly generated file name could be nwdfmog.exe.

The malware creates a task in %windir%\tasks with a random name, for example, %windir%\tasks\hdvoxzi.job.

Payload

Encrypts files

This threat can encrypt the files on your PC using a public key and change the extension of the encrypted files to .cbtl. For new variants, it adds a random 7-character extension at the end of the file name, for example: myfile.xls.mmgnmbe.

It looks for and encrypts the following file types:

3fr, 7z, abu, accdb, ai, arp, arw, bas, bay, bdcr, bdcu, bdd, bdp, bds, blend, bpdr, bpdu, bsdr, bsdu, c, cdr, cer, config, cpp, cr2, crt, crw, cs, dbf, dbx, dcr, dd, dds, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, fdb, gdb, groups, gsd, gsf, ims, indd, iss, jpe, jpeg, jpg, js, kdc, kwm, md, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pas, pdd, pdf, pef, pem, pfx, php, pl, ppt, pptm, pptx, psd, pst, ptx, pwm, py, r3d, raf, rar, raw, rgx, rik, rtf, rw2, rwl, safe, sql, srf, srw, txt, vsd, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx, zip

After it locks your files, earlier versions of this malware display a message similar to those shown below, with English and Russian translations. The message lists the files that have been encrypted on your PC. It directs you to a Tor webpage asking for payment in Bitcoin. It claims that once you have paid you will be able to recover the files using a personal link.

The message can be in either a window or a file that it drops into folders where it encrypts your files. We have seen it use the following file names:

  • !Decrypt-All-Files-.txt
  • !Decrypt-All-Files-.bmp
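The file-name indicators described above (the .cbtl extension, the random 7-character extension appended after a targeted file type, and the dropped note names) can be turned into a simple triage check over a directory listing. This is an added example, not code from Microsoft's analysis; it assumes the listing is already available as a list of names, matches the note names by their fixed prefix and extension, and runs over a constructed sample listing.

```python
import re
from collections import Counter

# File types the page lists as encryption targets for Win32/Critroni.
TARGET_EXTS = set("""
3fr 7z abu accdb ai arp arw bas bay bdcr bdcu bdd bdp bds blend bpdr bpdu bsdr bsdu
c cdr cer config cpp cr2 crt crw cs dbf dbx dcr dd dds der dng doc docm docx dwg dxf
dxg eps erf fdb gdb groups gsd gsf ims indd iss jpe jpeg jpg js kdc kwm md mdb mdf
mef mrw nef nrw odb odm odp ods odt orf p12 p7b p7c pas pdd pdf pef pem pfx php pl
ppt pptm pptx psd pst ptx pwm py r3d raf rar raw rgx rik rtf rw2 rwl safe sql srf
srw txt vsd wb2 wpd wps xlk xls xlsb xlsm xlsx zip
""".split())

# Newer variants append a random 7-character extension (page example:
# myfile.xls.mmgnmbe). Requiring the preceding extension to be a known
# target keeps ordinary multi-dot names from being flagged.
RANDOM_EXT_RE = re.compile(r"^(?P<orig>.+\.(?P<ext>[A-Za-z0-9]+))\.[a-z]{7}$")
NOTE_PREFIX = "!Decrypt-All-Files-"   # dropped note names start with this
NOTE_SUFFIXES = (".txt", ".bmp")


def classify(name):
    """Return (kind, original_name): kind is 'cbtl', 'random7', 'note' or None."""
    if name.startswith(NOTE_PREFIX) and name.lower().endswith(NOTE_SUFFIXES):
        return "note", None
    if name.lower().endswith(".cbtl") and len(name) > 5:
        return "cbtl", name[:-5]          # older scheme: strip the .cbtl suffix
    m = RANDOM_EXT_RE.match(name)
    if m and m.group("ext").lower() in TARGET_EXTS:
        return "random7", m.group("orig")  # newer scheme: drop the random tail
    return None, None


def triage(names):
    """Count indicator kinds in a listing and collect the original file names."""
    counts, originals = Counter(), []
    for n in names:
        kind, orig = classify(n)
        if kind:
            counts[kind] += 1
        if orig:
            originals.append(orig)
    return dict(counts), originals


# Constructed sample listing (not from the page) mixing clean and affected names.
SAMPLE_LISTING = [
    "budget.xlsx", "photo.jpg.cbtl", "myfile.xls.mmgnmbe", "notes.txt.qzkpwua",
    "archive.tar.gz", "!Decrypt-All-Files-.txt", "!Decrypt-All-Files-.bmp",
]
```

Calling `triage(SAMPLE_LISTING)` returns the per-kind counts and the list of original names whose encrypted copies were seen, which is what an incident responder needs to scope the damage before touching the host.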

The latest versions of this malware can also display a message written in a number of languages, including Dutch, Italian, German, Latvian and Spanish:
The threat also replaces your desktop wallpaper with instructions on how to pay using Bitcoin as currency:
Analysis by Marianne Mallen

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a message similar to those shown above

Last update 11 June 2015
